ipsec: IPSec interface correct drop w/ no protection
[vpp.git] / src / vnet / ipsec / ipsec_input.c
index aa7627d..96bad28 100644 (file)
@@ -111,17 +111,17 @@ ipsec_input_protect_policy_match (ipsec_spd_t * spd, u32 sa, u32 da, u32 spi)
   vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT])
   {
     p = pool_elt_at_index (im->policies, *i);
-    s = pool_elt_at_index (im->sad, p->sa_index);
+    s = ipsec_sa_get (p->sa_index);
 
     if (spi != s->spi)
       continue;
 
     if (ipsec_sa_is_set_IS_TUNNEL (s))
       {
-       if (da != clib_net_to_host_u32 (s->tunnel_dst_addr.ip4.as_u32))
+       if (da != clib_net_to_host_u32 (s->tunnel.t_dst.ip.ip4.as_u32))
          continue;
 
-       if (sa != clib_net_to_host_u32 (s->tunnel_src_addr.ip4.as_u32))
+       if (sa != clib_net_to_host_u32 (s->tunnel.t_src.ip.ip4.as_u32))
          continue;
 
        return p;
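Review bot: The IPv4 tunnel match reads `s->tunnel.t_dst.ip.ip4` and `s->tunnel.t_src.ip.ip4` without first confirming that the SA's tunnel endpoints are IPv4; only the SPI and `ipsec_sa_is_set_IS_TUNNEL (s)` gate the comparison. If an SA with IPv6 endpoints can ever be referenced by an `IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT` policy (not visible here), the test would run against whichever bytes of the IPv6 address overlay the `ip4` member. Consider skipping such SAs before the address checks, e.g. `if (ipsec_sa_is_set_IS_TUNNEL_V6 (s)) continue;`, or add a comment naming where that invariant is enforced. The function body continues past the hunk, so the transport-mode branch is not covered by this note.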
@@ -167,17 +167,17 @@ ipsec6_input_protect_policy_match (ipsec_spd_t * spd,
   vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT])
   {
     p = pool_elt_at_index (im->policies, *i);
-    s = pool_elt_at_index (im->sad, p->sa_index);
+    s = ipsec_sa_get (p->sa_index);
 
     if (spi != s->spi)
       continue;
 
     if (ipsec_sa_is_set_IS_TUNNEL (s))
       {
-       if (!ip6_address_is_equal (sa, &s->tunnel_src_addr.ip6))
+       if (!ip6_address_is_equal (sa, &s->tunnel.t_src.ip.ip6))
          continue;
 
-       if (!ip6_address_is_equal (da, &s->tunnel_dst_addr.ip6))
+       if (!ip6_address_is_equal (da, &s->tunnel.t_dst.ip.ip6))
          continue;
 
        return p;
@@ -294,7 +294,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_bypassed += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              goto trace0;
            }
          else
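Review bot: The same four-line per-policy counter update is pasted into every policy-hit branch, here and in the hunks at -312, -380 and -398, so the bypass and drop accounting can drift apart the next time one copy is edited. A small inline helper that derives the policy index and bumps `ipsec_spd_policy_counters` would keep the four sites identical and give one place to document that the byte count comes from the header's `ip0->length` rather than from the buffer length. The sketch below assumes `pi0` is a `u32` and uses a proposed helper name; the enclosing node function starts and ends outside these hunks.

```c
/* Proposed helper: account one packet against the matched SPD policy.
 * Bytes are taken from the IPv4 header's total-length field. */
static_always_inline u32
ipsec_input_policy_count (ipsec_main_t *im, ipsec_policy_t *p0,
			  ip4_header_t *ip0, u32 thread_index)
{
  u32 pi0 = p0 - im->policies;

  vlib_increment_combined_counter (&ipsec_spd_policy_counters, thread_index,
				   pi0, 1,
				   clib_net_to_host_u16 (ip0->length));
  return pi0;
}

/* … unchanged: policy lookup and PREDICT_TRUE check … */
	      ipsec_bypassed += 1;
	      pi0 = ipsec_input_policy_count (im, p0, ip0, thread_index);
	      goto trace0;
```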
@@ -312,7 +317,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_dropped += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              next[0] = IPSEC_INPUT_NEXT_DROP;
              goto trace0;
            }
@@ -380,7 +390,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_bypassed += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              goto trace1;
            }
          else
@@ -398,7 +413,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
          if (PREDICT_TRUE ((p0 != NULL)))
            {
              ipsec_dropped += 1;
+
              pi0 = p0 - im->policies;
+             vlib_increment_combined_counter (
+               &ipsec_spd_policy_counters, thread_index, pi0, 1,
+               clib_net_to_host_u16 (ip0->length));
+
              next[0] = IPSEC_INPUT_NEXT_DROP;
              goto trace1;
            }